strongSwan plugins » History » Version 81

Tobias Brunner, 17.09.2018 18:58
botan added

h1. strongSwan plugins

The strongSwan distribution ships with an ever-growing list of plugins. This allows us to add extended and specialized features, but keep the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. libcharon, the library behind the IKE daemon charon, comes with a large set of very specialized plugins for specific needs; since version:5.4.0 this also includes the kernel interfaces and attribute providers that earlier releases shipped in libhydra (whose plugins were usable by charon, in even earlier releases also by the IKEv1 daemon pluto, and by starter). libtnccs (Trusted Network Connect) and libtpmtss (TPM 2.0 access) have their own plugins, listed below.

h2. Plugins for current releases

|*Plugin Name*          |*E*|*S*|*Description*|
|\4. _E = Enabled by default (plugins can be enabled/disabled using their respective [[AutoConf|./configure options]])_
_S = Plugin status: s = stable, e = experimental, d = under development/incomplete_ |
|\4(level1).*libstrongswan plugins*|
|acert                                    | |s|Support for X.509 attribute certificates (since version:5.1.3)|
|aes                                      |x|s|AES-128/192/256 cipher software implementation|
|aesni                                    | |s|Intel AES-NI crypto plugin (since version:5.3.1)|
|af-alg                                   | |s|AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc|
|agent                                    | |s|RSA/ECDSA private key backend connecting to an SSH agent|
|[[BLISS|bliss]]                          | |s|Bimodal Lattice Signature Scheme (BLISS) post-quantum signature scheme (since version:5.2.2)|
|blowfish                                 | |s|Blowfish cipher software implementation|
|botan                                    | |s|Crypto backend based on "Botan":https://botan.randombit.net/, provides RSA/ECDSA/DH/ECDH/X25519/ciphers/hashers/HMAC/RNG (since version:5.7.0)|
|ccm                                      | |s|CCM cipher mode wrapper|
|chapoly                                  | |s|ChaCha20/Poly1305 AEAD implementation (since version:5.3.3) and ChaCha20 XOF (since version:5.5.1)|
|cmac                                     |x|s|CMAC cipher mode wrapper|
|[[ConstraintsPlugin|constraints]]        |x|s|X.509 certificate advanced constraint checking|
|ctr                                      | |s|CTR cipher mode wrapper|
|[[curl]]                                 | |s|libcurl based HTTP/FTP fetcher|
|curve25519                               |x|s|X25519 DH group and Ed25519 public key authentication (since version:5.5.2)|
|des                                      |x|s|DES/3DES cipher software implementation|
|dnskey                                   |x|s|Parses public keys in "RFC 4034":http://tools.ietf.org/html/rfc4034 DNSKEY format|
|files                                    | |s|Fetcher for local file:// URIs (since version:5.3.0)|
|fips-prf                                 |x|s|PRF specified in FIPS 186-2, used for EAP-SIM/EAP-AKA key derivation|
|gcm                                      | |s|GCM cipher mode wrapper|
|gcrypt                                   | |s|Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/RNG|
|gmp                                      |x|s|RSA/DH crypto backend based on libgmp|
|hmac                                     |x|s|HMAC wrapper using various hashers|
|keychain                                 | |e|Mac OS X Keychain Services credential set (since version:5.1.0)|
|ldap                                     | |s|LDAP fetching plugin based on libldap|
|md4                                      | |s|MD4 hasher software implementation|
|md5                                      |x|s|MD5 hasher software implementation|
|mgf1                                     | |s|MGF1 mask generation function (since version:5.5.1)|
|mysql                                    | |s|MySQL database backend based on libmysqlclient|
|[[NewHope|newhope]]                      | |s|Key exchange based on the post-quantum New Hope algorithm (since version:5.5.1)|
|nonce                                    |x|s|Default nonce generation plugin (since version:5.0.0)|
|[[NTRU|ntru]]                            | |s|Key exchange based on the post-quantum NTRU encryption scheme (since version:5.1.2)|
|openssl                                  | |s|Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG|
|padlock                                  | |e|VIA PadLock crypto backend, provides AES-128/SHA-1|
|pem                                      |x|s|PEM encoding/decoding routines|
|pgp                                      |x|s|PGP encoding/decoding routines|
|pkcs1                                    |x|s|PKCS#1 encoding/decoding routines|
|pkcs7                                    |x|s|PKCS#7 encoding/decoding routines|
|pkcs8                                    |x|s|PKCS#8 decoding routines|
|[[PKCS11Plugin|pkcs11]]                  | |s|PKCS#11 smartcard backend|
|pkcs12                                   |x|s|PKCS#12 decoding routines (since version:5.1.0)|
|pubkey                                   |x|s|Wrapper to handle raw public keys as trusted certificates|
|random                                   |x|s|RNG reading from /dev/[u]random|
|rc2                                      |x|s|RC2 cipher software implementation (since version:5.1.0)|
|rdrand                                   | |e|High quality / high performance random source using the Intel _rdrand_ instruction found on Ivy Bridge and later processors (since version:5.0.2)|
|revocation                               |x|s|X.509 CRL/OCSP revocation checking|
|sha1                                     |x|s|SHA-1 hasher software implementation|
|sha2                                     |x|s|SHA2_224/SHA2_256/SHA2_384/SHA2_512 hasher software implementation|
|sha3                                     | |s|SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation (since version:5.3.4) and SHAKE128/SHAKE256 XOF (since version:5.5.1)|
|soup                                     | |s|libsoup based HTTP fetcher|
|sqlite                                   | |s|SQLite database backend based on libsqlite3|
|sshkey                                   |x|s|SSH key decoding routines (since version:5.1.0)|
|[[CryptoTest|test-vectors]]              | |s|Set of test vectors for various algorithms|
|unbound                                  | |s|DNSSEC enabled resolver using libunbound (since version:5.0.3)|
|[[winhttp]]                              | |s|WinHTTP based HTTP/HTTPS fetcher for Windows platform (since version:5.2.0)|
|x509                                     |x|s|Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages|
|xcbc                                     |x|s|XCBC wrapper using various ciphers|
|\4(level1).*libcharon plugins*|
|[[AddrblockPlugin|addrblock]]            | |s|Narrow traffic selectors to "RFC 3779":http://tools.ietf.org/html/rfc3779 address blocks in X.509 certificates|
|android-dns                              | |s|[[Android]]-specific DNS handler plugin (since version:5.0.3)|
|android-log                              | |s|[[Android]]-specific logger plugin|
|[[AttrPlugin|attr]]                      |x|s|Provides IKE attributes configured in strongswan.conf|
|[[AttrSQL|attr-sql]]                     | |s|Provides IKE attributes read from a database to peers|
|[[bypass-lan]]                           | |e|Automatically installs and updates bypass policies for locally attached subnets (since version:5.5.2)|
|[[CertExpire|certexpire]]                | |s|Export expiration dates of used certificates|
|[[counters]]                             | |s|Provides IKE performance counters (queryable via [[swanctl]]/[[vici]] or [[Ipseccommand|ipsec]]/stroke, since version:5.6.1)|
|[[CertCoupling|coupling]]                | |s|Permanent peer certificate coupling|
|[[DHCPPlugin|dhcp]]                      | |s|Request [[VirtualIP|virtual IP]] address from a DHCP server|
|[[connmark]]                             | |e|Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since version:5.3.0)|
|dnscert                                  | |s|Provides authentication via CERT RRs protected by DNSSEC (since version:5.1.1)|
|[[Duplicheck|duplicheck]]                | |s|Advanced duplicate checking with liveness test and notifications|
|eap-aka                                  | |s|Generic EAP-AKA protocol handler using different backends|
|eap-aka-3gpp                             | |s|EAP-AKA backend implementing 3GPP MILENAGE algorithms in software (since version:5.6.0)|
|eap-aka-3gpp2                            | |s|EAP-AKA backend implementing 3GPP2 algorithms in software|
|[[eap-dynamic]]                          | |s|EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since version:5.0.1)|
|[[EapGtc|eap-gtc]]                       | |s|EAP-GTC protocol handler authenticating with XAuth backends|
|eap-identity                             | |s|EAP-Identity identity exchange algorithm, to use with other EAP protocols|
|eap-md5                                  | |s|EAP-MD5 protocol handler using passwords|
|eap-mschapv2                             | |s|EAP-MSCHAPv2 protocol handler using passwords/NT hashes|
|eap-peap                                 | |s|EAP-PEAP protocol handler, tunnels other EAP methods inside TLS|
|[[EapRadius|eap-radius]]                 | |s|EAP server proxy plugin forwarding EAP conversations to a RADIUS server|
|eap-sim                                  | |s|Generic EAP-SIM protocol handler using different backends|
|eap-sim-file                             | |s|EAP-SIM backend reading triplets from a file|
|eap-sim-pcsc                             | |s|EAP-SIM backend based on a PC/SC smartcard reader|
|eap-simaka-pseudonym                     | |s|EAP-SIM/AKA in-memory pseudonym identity database|
|eap-simaka-reauth                        | |s|EAP-SIM/AKA in-memory reauthentication identity database|
|[[EapSimakaSql|eap-simaka-sql]]          | |s|EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database|
|[[EapTls|eap-tls]]                       | |s|EAP-TLS protocol handler, to authenticate with certificates in EAP|
|eap-tnc                                  | |s|EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel|
|eap-ttls                                 | |s|EAP-TTLS protocol handler, tunnels other EAP methods inside TLS|
|[[ErrorNotifyPlugin|error-notify]]       | |s|Notification about errors via UNIX socket (since version:5.0.2)|
|[[ext-auth]]                             | |s|Invokes an external script for custom authorization rules (since version:5.2.1)|
|[[FARPPlugin|farp]]                      | |s|Fakes ARP responses for requests to a [[VirtualIP|virtual IP address]] assigned to a peer|
|[[forecast]]                             | |e|Multicast and broadcast forwarding plugin (since version:5.3.0)|
|[[HighAvailability|ha]]                  | |s|High-Availability clustering|
|ipseckey                                 | |s|Provides authentication via IPSECKEY RRs protected by DNSSEC (since version:5.0.3)|
|[[kernel-libipsec]]                      | |e|IPsec "kernel" interface in user-space using libipsec (since version:5.1.0)|
|kernel-netlink                           |x|s|IPsec/Networking kernel interface using Linux Netlink|
|[[kernel-iph]]                           | |e|Networking backend for the Windows platform, based on IPHelper APIs (since version:5.2.0)|
|kernel-pfkey                             | |e|IPsec kernel interface using PF_KEY|
|kernel-pfroute                           | |e|Networking kernel interface using PF_ROUTE|
|[[kernel-wfp]]                           | |e|IPsec backend for the Windows platform, using the Windows Filtering Platform (since version:5.2.0)|
|led                                      | |s|Let Linux LED subsystem LEDs blink on IKE activity|
|[[Lookip|lookip]]                        | |s|Virtual IP lookup facility using a UNIX socket (since version:5.0.2)|
|[[LoadTests|load-tester]]                | |s|Perform IKE load tests against self or a gateway|
|maemo                                    | |e|Maemo 5 configuration/control backend, works with the Maemo strongSwan applet|
|medcli                                   | |d|Web interface based mediation client interface|
|medsrv                                   | |d|Web interface based mediation server interface|
|osx-attr                                 | |e|Mac OS X SystemConfiguration attribute handler (since version:5.1.0)|
|p-cscf                                   | |s|Plugin that requests P-CSCF server addresses from an ePDG via IKEv2 (since version:5.4.0)|
|[[RadAttrPlugin|radattr]]                | |s|Plugin to inject and process custom RADIUS attributes as IKEv2 client|
|[[ResolvePlugin|resolve]]                |x|s|Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)|
|save-keys                                | |s|Development/Debugging plugin that saves IKE and/or ESP keys to files compatible with Wireshark (since version:5.6.2); since it writes session keys to disk it must never be loaded on production systems|
|[[SMP|smp]]                              | |d|XML based strongSwan Management Protocol|
|socket-default                           |x|s|Default socket implementation for IKE messages (before pluto was removed with version:5.0.0 it was only enabled if pluto was disabled)|
|socket-dynamic                           | |e|Dynamic binding socket implementation, capable of sending IKE messages on any port|
|[[socket-win]]                           | |s|Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since version:5.2.0)|
|[[SQL|sql]]                              | |s|SQL configuration backend reading configurations/credentials from a database|
|stroke                                   |x|s|Deprecated stroke configuration/control backend, to use with the ipsec script and starter|
|[[IfMap|tnc-ifmap]]                      | |s|Trusted Network Connect IF-MAP 2.0 client|
|[[TrustedNetworkConnect|tnc-pdp]]        | |s|Trusted Network Connect Policy Decision Point with RADIUS server interface|
|[[SystimeFixPlugin|systime-fix]]         | |s|Handle invalid system time when checking certificates (since version:5.0.3)|
|uci                                      | |d|OpenWRT UCI configuration backend|
|unit-tests                               | |d|Unit tests to run during daemon startup|
|[[UnityPlugin|unity]]                    | |s|Cisco Unity extensions for IKEv1 (since version:5.0.1)|
|[[updown]]                               |x|s|Shell script invocation during tunnel up/down events|
|[[Vici|vici]]                            |x|s|Versatile IKE Configuration Interface (since version:5.2.0, enabled since version:5.4.0)|
|[[Whitelist|whitelist]]                  | |s|Check authenticated identities against a whitelist|
|[[XAuthEAP|xauth-eap]]                   | |s|XAuth backend that uses EAP methods to verify passwords (since version:5.0.0)|
|xauth-generic                            |x|s|Generic XAuth backend that provides passwords from [[XauthSecret|ipsec.secrets]] and other credential sets (since version:5.0.0)|
|[[XauthNoauth|xauth-noauth]]             | |s|XAuth backend that does not do any authentication (since version:5.0.3); use only where the peer is already authenticated by other means, e.g. certificates|
|[[XAuthPAM|xauth-pam]]                   | |s|XAuth backend that uses PAM modules to verify passwords (since version:5.0.1)|
|\4(level1).*libtnccs plugins*|
|[[TrustedNetworkConnect|tnccs-11]]       | |s|Trusted Network Connect protocol version 1.1|
|[[TrustedNetworkConnect|tnccs-20]]       | |s|Trusted Network Connect protocol version 2.0|
|[[TrustedNetworkConnect|tnccs-dynamic]]  | |s|Trusted Network Connect Dynamic protocol discovery|
|[[TrustedNetworkConnect|tnc-imc]]        | |s|Trusted Network Connect Integrity Measurement Collectors|
|[[TrustedNetworkConnect|tnc-imv]]        | |s|Trusted Network Connect Integrity Measurement Validators|
|\4(level1).*libtpmtss plugins*|
|[[TpmPlugin|tpm]]                        | |s|Access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 (since version:5.5.2)|
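
The status column is only useful when compared with what a gateway has actually loaded. The following Python script is an added example, not code from the strongSwan project: it parses a few rows copied from the table above (in their Textile form), reads the @loaded plugins:@ line that @swanctl --stats@ prints (the @ipsec statusall@ output carries the same line), flags loaded plugins that the table marks experimental or under development as well as those whose own description makes them unfit for a production gateway (save-keys, load-tester, unit-tests, xauth-noauth), and prints a strongswan.conf fragment that turns them off via @charon.plugins.<name>.load@. The constructed sample output, the exact layout of the @loaded plugins:@ line, and the assumption that per-plugin @load@ settings are only honoured together with @load_modular = yes@ are the author's, not something this page states.

```python
"""Check a running charon's loaded plugins against the status table above.
Added example, not strongSwan project code.  The table rows are copied from
this page; the `swanctl --stats` output and its "loaded plugins:" line format
are constructed/assumed (adjust parse_loaded_plugins if your version differs)."""
import re
import sys

# A few rows copied verbatim from the table above (Textile: |name |E|S|description|).
PLUGIN_TABLE = """
|aes                                      |x|s|AES-128/192/256 cipher software implementation|
|md4                                      | |s|MD4 hasher software implementation|
|[[Vici|vici]]                            |x|s|Versatile IKE Configuration Interface (since version:5.2.0, enabled since version:5.4.0)|
|kernel-netlink                           |x|s|IPsec/Networking kernel interface using Linux Netlink|
|[[kernel-libipsec]]                      | |e|IPsec "kernel" interface in user-space using libipsec (since version:5.1.0)|
|save-keys                                | |s|Development/Debugging plugin that saves IKE and/or ESP keys to files compatible with Wireshark (since version:5.6.2)|
|[[LoadTests|load-tester]]                | |s|Perform IKE load tests against self or a gateway|
|[[XauthNoauth|xauth-noauth]]             | |s|XAuth backend that does not do any authentication (since version:5.0.3)|
|unit-tests                               | |d|Unit tests to run during daemon startup|
"""

# Plugins whose own description in the table makes them unfit for a production
# gateway even though their status column says "stable".
DEBUG_ONLY = {
    "save-keys": "writes IKE/ESP session keys to disk",
    "load-tester": "IKE load-test generator",
    "unit-tests": "runs unit tests at daemon startup",
    "xauth-noauth": "XAuth backend that performs no authentication",
}
STATUS_NAMES = {"s": "stable", "e": "experimental", "d": "under development"}

# One table row; the name cell is a bare name or a wiki link [[Page|name]] / [[name]].
ROW = re.compile(
    r"^\|\s*(?P<name>\[\[[^\]]+\]\]|[\w.-]+)\s*\|(?P<enabled>[x ])\|"
    r"(?P<status>[sed])\|(?P<desc>[^|]*)\|$"
)


def parse_plugin_table(text):
    """Return {plugin: (enabled_by_default, status_letter)} from Textile rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        if name.startswith("[["):
            name = name[2:-2].split("|")[-1]  # [[Page|name]] or [[name]] -> name
        table[name] = (m.group("enabled") == "x", m.group("status"))
    return table


def parse_loaded_plugins(stats_output):
    """Plugin names from the 'loaded plugins:' line (assumed format, see above)."""
    for line in stats_output.splitlines():
        line = line.strip()
        if line.startswith("loaded plugins:"):
            names = line.split(":", 1)[1].split()
            return [n for n in names if n != "charon"]  # first entry is the daemon itself
    raise ValueError("no 'loaded plugins:' line found")


def audit(stats_output, table_text=PLUGIN_TABLE):
    """Flag loaded plugins that are debugging-only or not marked stable."""
    table = parse_plugin_table(table_text)
    flagged, unknown = [], []
    for name in parse_loaded_plugins(stats_output):
        if name in DEBUG_ONLY:
            flagged.append((name, DEBUG_ONLY[name]))
        elif name not in table:
            unknown.append(name)
        elif table[name][1] != "s":
            flagged.append((name, STATUS_NAMES[table[name][1]]))
    return {"flagged": flagged, "unknown": unknown}


def disable_conf(names):
    """strongswan.conf fragment turning the given plugins off via
    charon.plugins.<name>.load; assumed to need load_modular = yes to take effect."""
    body = "".join(f"        {n} {{\n            load = no\n        }}\n" for n in names)
    return "charon {\n    load_modular = yes\n    plugins {\n" + body + "    }\n}\n"


# Constructed sample in the layout `swanctl --stats` prints.
SAMPLE_STATS = """uptime: 2 minutes, since Sep 17 18:58:00 2018
worker threads: 16 total, 11 idle, working: 4/0/1/0
IKE_SAs: 0 total, 0 half-open
loaded plugins: charon aes md4 vici kernel-netlink kernel-libipsec save-keys xauth-noauth
"""

if __name__ == "__main__":
    # argument: a file with real `swanctl --stats` output; otherwise the sample is used
    stats = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATS
    result = audit(stats)
    for name, reason in result["flagged"]:
        print(f"WARNING: plugin {name} is loaded: {reason}")
    for name in result["unknown"]:
        print(f"NOTE: plugin {name} is not in the status table")
    if result["flagged"]:
        print(disable_conf([n for n, _ in result["flagged"]]))
```

On a gateway, run it against a saved copy of @swanctl --stats@ (which itself needs the vici plugin loaded); without an argument it runs on the constructed sample and flags kernel-libipsec as experimental and save-keys and xauth-noauth as debugging-only. Plugins the script reports as not in the table are simply the ones not copied into the embedded excerpt; paste the full table in before using it for real.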

h2. Removed plugins

|*Plugin Name*          |*E*|*S*|*Description*|
|\4(level1).*pluto plugins*|
|xauth                                    |x|s|XAUTH authentication (removed together with pluto with version:5.0.0)|
|\4(level1).*libhydra plugins*|
|\4(level2).All plugins were moved to _libcharon_ with version:5.4.0 (_attr_, _attr-sql_ and _resolve_ already with version:5.3.0)|
|kernel-klips                             | |e|IPsec kernel interface to an older KLIPS version (removed with version:5.2.0)|
|\4(level1).*libcharon plugins*|
|android                                  | |s|[[Android]] configuration/control backend, worked with the [[AndroidFrontend|Android VPN applet patch]]. It was removed with version:5.0.3; the DNS handler was moved to the separate _android-dns_ plugin.|
|[[NetworkManager|nm]]                    | |s|NetworkManager configuration/control backend, works with the NetworkManager strongSwan applet. Contained in a separate executable since version:5.0.0|
|socket-raw                               |x|s|RAW socket allowing charon to run in parallel with pluto, enabled if pluto was enabled (removed with version:5.0.1)|